A deeper look at Equation Editor CVE-2017-11882 with encoded Shellcode

Our sample today comes from My Online Security @dvk01uk from this Twitter thread Here.  The First one I had started to work on comes from this Twitter thread  here from April 26 of 2019.

The encoding on the shellcode uses a method similar to Shakita Ga Nai encoding.

I would also like to thank  Denis O’Brien @Malwageddon for pointing me to this video on how to set up the vm to use X86Dbg to load when the equation editor loaded.

I would also like to thank him for giving me the tip of setting a break point at 0x00411874 on the return instruction for the font record. This can get you close to where you need to be but then you have to step thru from there.

Also this blog post had some helpful information on breakpoints that helped while trying to run this with the debugger attached.

Before we jump into the debugger let take a look at the file and extract the shellcode.

When we first open the file we see

File-1

Here we can see it is a zip file so lets just unzip it to get the file structure.

File-2

Let’s look in the “xl” folder.

file-3

Now we need embeddings.

File-4

Let take a look at this file in a hex editor.

File-5

This is an OLE file so we can just use 7Zip to extract the contents.

file-6

This a Ole0Native binary file so lets see what is in this.

File-7

By the looks of this. It does not appear to have any other headers so this is our shellcode that gets run.

Lets copy all of the data here and drop it into CyberChef.

CyberChef

Let’s take a closer look at this in Notepad++ with the colors for assembly.

CyberChefColor-1

Now lets do some math at the beginning.

blogpost-bp-b

After doing the math here we can refer back to the blog post and see that the result matches Globallock.

So let jump Into the debugger. After getting to the fonts and finding the corrupted one we step thru and find what we are looking for. The Beginning Of our Shellcode.

InShellCode

The values just above notepad are the ones we see in our debugger. Finally on the right track.

After loading Globallock and returning from Kernal32 we end up in a series of jumps.

MultipleJumps

Here I was able to get a graph of the function calls

StartOfJumpGraph

The Part we need to understand is at the top where it goes into the loop.

Loop

Here we can See the value that will be used as a Multiplier.

Multiplyer

You can Also see my notes from a previous run  the values we need to find.

So After running thru all of this we can find the decoded Shellcode in ECX.

DecodedPayload

While stepping thru this I also copied the assembly and the current values to a text documents. Lets take a closer look at the flow.

AsmValues

Now we have a better understand of how the decoding works. Here is a more Simple Version.

DecodingNotes-Final-A

Now we can build a decoder for this.

We need 3 values that we can get from the Cyberchef output. The Multiply value, the Addition Value And the Length value.

We will look at the length value first.

ShekkCodelen

So now we need to find where this is in the Shellcode we extracted.

As it turns out if we just extract from the end of the shellcode data the amount here 0x2A7  then that is the data we will be decoding.

ShellCodeSelect

This is now our encoded shell code. We can copy paste this to the new tool, get the other to values and click a button.

If we are right then you should see the decoded values clearly.

Decoded-Payload-Tool

DecodedClose

So now we can decode these by extracting the shellcode from the file, copy paste to to Cyberchef to get the Assembly, look for the required parameters and finally input them into the tool and click a button for the result without having to run the file.

Although you can just run them and get the URL where it calls to, this will give you what else in the shellcode and and what API’s are run.

The few different ones I have done have all worked just a bit different under the hood even though they have the same effect of just calling out to some site somewhere and downloading a file.

If you click on the Twitter link to this sample an then click on the CVE- tag at the top it will present you with , at the time of research, 116 pages of files that potentially use this type of encoding.

That’s it for this one. I hope you learned something too.

 

Links to URL’s in this post:

Twitter Link for this sample

AnyRun Task Link for this sample.

Link to blog post with the different values

Link to the video on how to set up X86Dbg to attach to the Equation editor.

Link to My Github with tool and decoding notes.

Advertisements

About pcsxcetrasupport3

My part time Business, I mainly do system building and system repair. Over the last several years I have been building system utility's in vb script , HTA applications and VB.Net to be able to better find the information I need to better understand the systems problems in order to get the systems repaired and back to my customers quicker.
This entry was posted in Malware, security and tagged , , , . Bookmark the permalink.

1 Response to A deeper look at Equation Editor CVE-2017-11882 with encoded Shellcode

  1. Pingback: Those Pesky Powershell Shellcode’s And How To Understand Them | PC's Xcetra Support

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s